Mozilla Firefox and Google Chrome Vulnerabilities
Mozilla Firefox Vulnerabilities
They released updates for Firefox and Firefox ESR. Thirteen vulnerabilities were fixed in Firefox and nine vulnerabilities in Firefox ESR by using a vulnerability management tool. Also, Mozilla has rated these updates as critical which indicates that these security loopholes can be used by an attacker to run arbitrary code and install malicious software with minimal to no user interaction beyond normal browsing.
Some of the important vulnerabilities in this release which a patch management tool can remediate are:
- CVE-2019-11764 is a set of critical memory safety bugs in Firefox and Firefox ESR. Some of these are memory corruption bugs which could be exploited to allow arbitrary code execution.
- CVE-2019-15903 is a heap-based buffer over-read (CWE-126) vulnerability in ‘XML_GetCurrentLineNumber’ which could allow disclosure of sensitive information or an application crash.
- CVE-2019-11757 is a use-after-free (CWE-416) vulnerability in ‘IndexedDB’ which could allow execution of arbitrary code or an application crash.
CVE-2018-6156 and then CVE-2019-11758 are the other high severity vulnerabilities in Firefox and Firefox ESR respectively.
Google Chrome Vulnerabilities
Google released an update for Chrome. As per the advisory, this update includes 37 security fixes as a part of 21 CVEs. These vulnerabilities allow an attacker to execute arbitrary code in the context of the browser, access sensitive information, bypass security restrictions, perform unauthorized actions, and cause denial-of-service conditions. A user tricked into visiting a malicious page or redirected using a crafted url in order to exploit these vulnerabilities.
Three vulnerabilities in Chrome rated high. CVE-2019-13699 is a use-after-free(CWE-416) issue which could lead to arbitrary code execution or denial of service. CVE-2019-13700 and CVE-2019-13701 are the other important vulnerabilities in Chrome which are classified as buffer overrun(buffer overflow) and URL spoofing respectively.
Affected Products
Mozilla Firefox versions before 70,
Mozilla Firefox ESR versions before 68.2 and
Google Chrome versions before 78.0.3904.70
Impact
Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code, access sensitive information, bypass security restrictions or crash the application.
Solution
Please refer to the corresponding KB Articles for Mozilla Firefox and Google Chrome which replaced by KB Article to apply the patches using SanerNow.